Rapid7 Blog

Using Nexpose to Set Short-Term Goals and Demonstrate IT Security Progress


So you're in charge of IT security. You write policies, you run scans, and you remediate, but how do you prove to management that you are actually making forward progress? Nexpose Enterprise can generate reports that not only show how your exposure has changed over time, but also help you predict the change you can expect in the near term.

Generate a Dynamic Asset Group:

Dynamic Asset Groups (DAGs) are logical groupings of systems that dynamically update themselves following each scan.

Choose to create a New Dynamic Asset Group. The real challenge is deciding what your criteria should be. Most organizations use DAGs to divide their reporting by the teams that do the remediation work, so they base their DAGs on operating system names or on running services. That only scratches the surface of what the right DAG logic can do. The question becomes how to use DAGs to show forward momentum rather than just to subdivide your environment. We'll start with systems that are susceptible to Metasploit modules, malware kits, or exploits published in the Offensive Security Exploit Database (Exploit-DB).

To do this, click the first dropdown menu and select Vulnerability Exposures. Select all three exposure types to the right by holding [SHIFT] and clicking; selecting all three means an asset matches if it has at least one vulnerability of any of the three kinds. Click Search to find the systems in your environment that match your criteria based on past scans (if you have not run any scans yet, you won't have any discovered systems).

Click Create Asset Group to save your criteria as a DAG. When you create the asset group, leave it as dynamic. This ensures that the group re-evaluates its membership after every scan. Choosing static instead creates an asset group containing a fixed list of the devices that matched your criteria at that moment only, so hosts you fix later never drop out of it. Finally, choose a name and description that say what the DAG represents (this post uses Easily Exploitable Machines) so you won't need to re-check the criteria each time!

The same approach applies to PCI compliance, devices at risk of data loss, tracking a specific vulnerability or class of vulnerability, tracking a particular piece of software, and so on, just by adjusting the logic used when creating your DAG.

Report on What You Have Already Done:

Head over to the Reports tab and choose to Create a Report. Name this report Easily Exploitable Machines over Time and select the Executive Overview report template.

Click the selection icon next to Select Sites, Assets, or Asset Groups. Make sure to switch from Sites to Asset Groups and select the Easily Exploitable Machines DAG that we just created.

Once you have chosen a scope for your new report, adjust the Frequency to Run a Recurring Report After Every Scan (so you won't need to manually run the report in the future) and choose to Show Advanced Settings.

Expand the Risk Trend Graphs section under the Advanced Options and choose Include Trend for the Number of Assets. Then choose an appropriate date range. I recommend the 1 or 3 month options so that the graph covers a period over which change is actually visible.

You can also set the Baseline Scan Selection to your date of hire or some other significant point in time to show the impact you and your team have had on security since taking over. (Note that the baseline has to be an actual Nexpose scan: if you weren't scanning with Nexpose at that point in time, it won't be available in the report.)

If your remediation work is hitting the right targets, the resulting report will show not only that overall risk is going down, but that you are fixing the vulnerabilities that matter: the attack surface shrinks and the number of easily exploitable machines falls over time.
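To make the dynamic-versus-static distinction and the "Number of Assets" trend concrete, here is an added example (not Nexpose's own code or data model) that re-evaluates the Easily Exploitable Machines criteria against a constructed scan history and produces the per-scan count relative to a baseline scan. The `exploit_sources` and `malware_kit` fields and the "metasploit"/"exploitdb" labels are assumptions standing in for what Nexpose records per vulnerability.

```python
"""Model of how a Dynamic Asset Group (DAG) re-evaluates its membership after
every scan, and of the 'Number of Assets' trend the Executive Overview draws
from it.

Added example, not Nexpose's own code or data model. The scan history below is
constructed; the vulnerability fields (exploit_sources, malware_kit) and the
three exposure labels are assumptions standing in for what Nexpose records
per discovered vulnerability.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    exploit_sources: frozenset = frozenset()   # e.g. {"metasploit", "exploitdb"}
    malware_kit: bool = False


@dataclass(frozen=True)
class Asset:
    name: str
    vulns: tuple


# The three Vulnerability Exposures criteria selected with SHIFT-click.
# Selecting all three is an OR: one matching vulnerability puts the asset in.
EASILY_EXPLOITABLE = (
    lambda v: "metasploit" in v.exploit_sources,   # Metasploit module exists
    lambda v: v.malware_kit,                       # malware kit exists
    lambda v: "exploitdb" in v.exploit_sources,    # Exploit-DB entry exists
)


def matches(asset, criteria):
    return any(crit(v) for v in asset.vulns for crit in criteria)


def evaluate_group(scan, criteria):
    """Dynamic membership: recomputed from the latest scan's results."""
    return sorted(a.name for a in scan if matches(a, criteria))


def asset_count_trend(scans, criteria, baseline):
    """(scan date, members, change since baseline) for every scan, oldest first.
    This is the series the 'Include Trend for the Number of Assets' option plots."""
    counts = {d: len(evaluate_group(s, criteria)) for d, s in scans.items()}
    base = counts[baseline]
    return [(d, n, n - base) for d, n in sorted(counts.items())]


# Constructed scan history (ISO dates as keys). web01 is patched before the
# February scan and db01 before the March scan; fs01 never had an exploitable
# finding and app02's malware-kit finding is still open.
V_MSF = Vuln("vuln-A", frozenset({"metasploit", "exploitdb"}))
V_EDB = Vuln("vuln-B", frozenset({"exploitdb"}))
V_KIT = Vuln("vuln-C", malware_kit=True)
V_PLAIN = Vuln("vuln-D")                     # no public exploit, no malware kit

SCANS = {
    "2012-01-15": (Asset("web01", (V_MSF, V_PLAIN)), Asset("db01", (V_EDB,)),
                   Asset("app02", (V_KIT,)), Asset("fs01", (V_PLAIN,))),
    "2012-02-01": (Asset("web01", (V_PLAIN,)), Asset("db01", (V_EDB,)),
                   Asset("app02", (V_KIT,)), Asset("fs01", (V_PLAIN,))),
    "2012-03-01": (Asset("web01", (V_PLAIN,)), Asset("db01", ()),
                   Asset("app02", (V_KIT,)), Asset("fs01", (V_PLAIN,))),
}

# A *static* group is the membership frozen at creation time; it never shrinks
# as hosts are fixed, which is why the post says to leave the group dynamic.
STATIC_SNAPSHOT = evaluate_group(SCANS["2012-01-15"], EASILY_EXPLOITABLE)


if __name__ == "__main__":
    print("static group, taken 2012-01-15:", STATIC_SNAPSHOT)
    print("dynamic group, after latest scan:",
          evaluate_group(SCANS["2012-03-01"], EASILY_EXPLOITABLE))
    for day, n, delta in asset_count_trend(SCANS, EASILY_EXPLOITABLE, "2012-01-15"):
        print(f"{day}: {n} easily exploitable assets ({delta:+d} vs baseline)")
```

Run stand-alone, the static snapshot still lists three hosts after the March scan while the dynamic group has shrunk to one; the trend line (3, 2, 1 against a baseline of 3) is the "forward momentum" the report is meant to show.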

Report on What You Need to do In the Near Future:

We've shown management what you did in the past, now it's time to set some goals. Choose to Create a Report again, but this time name it Easily Exploitable Machines Remediations and choose the Top Remediations report template. Select the Easily Exploitable Machines asset group again.

Choose to Run a Recurring Report After Every Scan, as before. This produces a recurring report listing the top 25 remediations that affect the machines in the Easily Exploitable Machines DAG. 25 is the default, and can be changed through the Remediation Display setting under the Advanced Settings. It's also a good idea to change the Sort By option so that known exploits or malware kits are taken into account; otherwise the list is ordered purely by risk, and a fix with a large risk score but no public exploit can outrank the ones that actually shrink the group.

The resulting report gives a brief overview of what you need to accomplish and outlines roughly how many devices and how much risk each change will affect.
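An added example (not Nexpose's own code) of the ranking behind a Top Remediations table: findings on the group's members are rolled up per solution into assets touched, risk removed, and how many of the findings carry a known exploit or malware kit, then sorted under the chosen Sort By. The findings and risk values are constructed, and the three sort modes are an assumed simplification of the report's Sort By option.

```python
"""Model of the Top Remediations report: rank solutions by how much they
would do for the assets in the Easily Exploitable Machines group.

Added example, not Nexpose's own code. The findings are constructed; risk
values are arbitrary stand-ins for Nexpose's per-vulnerability risk score,
and the sort modes are an assumed simplification of the report's Sort By
option (risk removed, known exploits, or malware kits).
"""
from collections import defaultdict

# Constructed findings on DAG members: (asset, vuln_id, solution, risk,
# exploit_available, malware_kit). Members of the group can also carry
# findings with no public exploit, which is why the sort order matters.
FINDINGS = [
    ("web01", "vuln-A", "Apply vendor patch A", 500.0, True, False),
    ("app02", "vuln-A", "Apply vendor patch A", 500.0, True, False),
    ("db01", "vuln-B", "Apply vendor patch B", 1200.0, False, False),
    ("fs01", "vuln-B", "Apply vendor patch B", 1200.0, False, False),
    ("db01", "vuln-C", "Disable legacy service C", 300.0, False, True),
]

SORT_KEYS = {
    "risk": lambda r: (r["risk"], r["assets"]),
    "exploit": lambda r: (r["exploitable"], r["risk"]),
    "malware": lambda r: (r["malware_kits"], r["risk"]),
}


def summarize(findings):
    """One row per solution: assets touched, vulns closed, risk removed, and
    how many of those findings have a known exploit or malware kit."""
    acc = defaultdict(lambda: {"assets": set(), "vulns": set(), "risk": 0.0,
                               "exploitable": 0, "malware_kits": 0})
    for asset, vuln, solution, risk, exploit, kit in findings:
        row = acc[solution]
        row["assets"].add(asset)
        row["vulns"].add(vuln)
        row["risk"] += risk
        row["exploitable"] += int(exploit)
        row["malware_kits"] += int(kit)
    return [{"solution": s, "assets": len(r["assets"]), "vulns": len(r["vulns"]),
             "risk": r["risk"], "exploitable": r["exploitable"],
             "malware_kits": r["malware_kits"]} for s, r in acc.items()]


def top_remediations(findings, n=25, sort_by="risk"):
    """The report's table: the top n solutions under the chosen Sort By."""
    rows = sorted(summarize(findings), key=SORT_KEYS[sort_by], reverse=True)
    return rows[:n]


def coverage(findings, n=25, sort_by="risk"):
    """Share of the group's total risk the top n remediations would remove."""
    total = sum(f[3] for f in findings)
    removed = sum(r["risk"] for r in top_remediations(findings, n, sort_by))
    return removed / total if total else 0.0


if __name__ == "__main__":
    for mode in ("risk", "exploit", "malware"):
        print(f"sort by {mode}:")
        for r in top_remediations(FINDINGS, sort_by=mode):
            print(f"  {r['solution']:<26} assets={r['assets']} risk={r['risk']:.0f} "
                  f"exploitable={r['exploitable']} malware_kits={r['malware_kits']}")
```

Sorted by risk, "Apply vendor patch B" comes first even though none of its findings has a public exploit; sorted by exploit, patch A (two exploitable findings on two group members) moves to the top. That is the difference the Sort By change in the step above is meant to produce.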

A standard Nexpose remediation report gives you the detail on how to carry out each of these steps, but that report is usually too verbose for management. Taking this approach instead gives you concise graphics showing what you have done, what you will do next, and the impact you expect it to have.